Toorcon 18 CTF – Forensics 250

I had a ton of fun at the Toorcon 18 CTF. On the second day of the CTF a bonus forensics challenge popped up. During the first day our forensics guy had shown me how to use Volatility, so I figured I would take a crack at it. I usually don’t do forensics challenges, so I knew this would be a good opportunity to learn.

Examining the file

The challenge was called Eric’s Password and we were given a file called pbrane-eric.gz. The extracted file had no file extension.


I started by running Volatility with the imageinfo command. This gives you information about the image and helps you determine the correct profile to use. Profiles are used to correctly perform the memory mapping:

vol.py -f <filename> imageinfo


Dumping files

Next I ran a filescan to see if it would yield any results, because this was the path used to retrieve the flag on a previous challenge. This didn’t give me any flags, but it is useful to know:

vol.py --profile=<profilename> filescan -f <filename>


Hash Dumping

Next I figured that if we were looking for passwords, why not try to run a hashdump on the image. After referencing the usage guide I determined that I needed to get the hivelist first to determine the memory location of the SAM hive:

vol.py --profile=<profilename> -f <filename> hivelist


Then I used this information to run hashdump:

vol.py --profile=<profilename> -f <filename> hashdump -s <SAM memory location>

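As an added example (not code from the original write-up), here is a small POSIX shell helper that automates the hivelist-to-hashdump step above: it parses Volatility 2 hivelist output, picks out the SAM and SYSTEM hive offsets, and composes the hashdump command line. The hivelist lines and offsets below are constructed sample data; hashdump’s -y (SYSTEM hive) and -s (SAM hive) options are those of Volatility 2.

```shell
#!/bin/sh
# Parse Volatility 2 hivelist output and build the matching hashdump command.
# hivelist prints one hive per line: "<virtual> <physical> <name>".

# Constructed sample hivelist output (offsets are made up for this example).
HIVES="Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8b21c008 0x1b5c5008 \\SystemRoot\\System32\\Config\\SAM
0x8b20b8d8 0x1b69c8d8 \\REGISTRY\\MACHINE\\SYSTEM
0x8b3ad008 0x1b7d8008 \\Device\\HarddiskVolume1\\Boot\\BCD"

# hive_offset HIVELIST_TEXT HIVE_BASENAME
# Prints the virtual offset of the first hive whose path ends in HIVE_BASENAME
# (case-insensitive, e.g. SAM or SYSTEM); prints nothing if it is absent.
hive_offset() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^0x/ {
            n = split($3, part, "\\\\")      # split the path on backslashes
            if (toupper(part[n]) == toupper(want)) { print $1; exit }
        }'
}

# hashdump_cmd PROFILE IMAGE HIVELIST_TEXT
# Prints the vol.py hashdump command; fails if either hive is missing,
# since hashdump needs both the SYSTEM (bootkey) and SAM hives.
hashdump_cmd() {
    sam_off="$(hive_offset "$3" SAM)"
    sys_off="$(hive_offset "$3" SYSTEM)"
    if [ -z "$sam_off" ] || [ -z "$sys_off" ]; then
        echo "hashdump_cmd: SAM or SYSTEM hive not found in hivelist output" >&2
        return 1
    fi
    printf 'vol.py --profile=%s -f %s hashdump -y %s -s %s\n' \
        "$1" "$2" "$sys_off" "$sam_off"
}

# Usage with the constructed sample (the profile name is an assumption):
hashdump_cmd Win7SP1x86 pbrane-eric "$HIVES"
```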

We cracked the password but quickly discovered that this wasn’t the flag. I did a bit of Googling after this to determine other password dumping techniques. This led me to the next possibility.

Dumping passwords with Mimikatz

Next we discovered that you could use a plugin that runs mimikatz against the image, which can be found here. In this case you have to specify the plugin location. I was attempting to do this on OS X but had to switch to Kali Linux for some reason to get this working correctly:

volatility --plugins=<plugin location> --profile=<profilename> -f <filename> mimikatz


We put the flag into the scoreboard and confirmed that we were successful! A very interesting technique and a great learning experience. I had to go outside my normal comfort zone to conquer this one, and it was well worth it.
